NETRESEC Network Security Blog - Tag : PureCoder


PureRAT = ResolverRAT = PureHVNC

PureRAT is a Remote Access Trojan, which can be used by an attacker to remotely control someone else’s PC. PureRAT provides the following features to an attacker:

  • See the victim's user interface
  • Interact with the victim PC using mouse and keyboard
  • View the webcam
  • Listen to the microphone
  • Record keystrokes
  • Upload and download files
  • Proxy network traffic through victim

Screenshot: the PureRAT user interface as seen by the attacker

PureRAT is the exact same malware as what Morphisec and others call ResolverRAT. PureHVNC, on the other hand, is the predecessor to PureRAT. These three malware names are all used by threat intel companies and researchers when referring to the same malware family. We will call this malware family “PureRAT” in this blog post.

Indicators of PureRAT

Malware analysts might recognize PureRAT through properties like these:

  • Loader is a .NET executable obfuscated with Eazfuscator.NET
  • Payload is AES-256 encrypted in CBC mode
  • Payload is gzip compressed
  • Extracted PureRAT payload is a DLL
  • PureRAT DLL is packed with .NET Reactor
  • A malicious assembly is injected by registering a handler for the ResourceResolve event

See analysis by eSentire, Morphisec, Kaspersky, Fortinet and 0xlibris for more reverse engineering details on PureRAT and related software from the PureCoder developer(s).

Another way to identify the malware is to run it in a sandbox and inspect the network traffic. The following characteristics are typical indicators of PureRAT:

  • C2 TCP port is often 56001, 56002 or 56003
  • Client (bot) first sends 04 00 00 00 (in hex), followed by a TLS handshake
  • Client and server run TLS 1.0
  • X.509 cert is self-signed
  • X.509 cert expires 9999-12-31 23:59:59 UTC

Screenshot: CapLoader flow transcript of the PureRAT C2 traffic

As you can see in the flow transcript above, CapLoader currently identifies this traffic as “ResolverRAT”. This detection will most likely be changed to “PureRAT” in future versions of CapLoader.
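The network indicators listed above can be checked directly on the bytes of a captured flow. The Python below is an added example written for this page (it is not NETRESEC's or CapLoader's code): it matches the 04 00 00 00 prefix and the TLS 1.0 ClientHello behind it, looks for the 9999-12-31 23:59:59 notAfter in the server's DER certificate, and notes whether the destination port is one of the three named above. The function names, the constructed ClientHello and the constructed Validity fragment are this example's own assumptions. One caveat a practitioner should know: a record-layer version of 03 01 on its own does not prove TLS 1.0, because TLS 1.2 and 1.3 clients also put 03 01 in the record header of their ClientHello, so the client_version inside the handshake body is checked as well.

```python
"""Added example (not NETRESEC's code): check raw flow bytes against the
PureRAT indicators from the blog post. Names and sample data are assumptions."""

TLS_HANDSHAKE = 0x16                   # TLS record content type: Handshake
CLIENT_HELLO = 0x01                    # Handshake message type: ClientHello
TLS_1_0 = b"\x03\x01"                  # TLS 1.0 is version 3.1 on the wire
PURERAT_PREFIX = b"\x04\x00\x00\x00"   # bot's first four bytes per the post

# DER encoding of notAfter = 9999-12-31 23:59:59 UTC. Dates after 2049 must be
# encoded as GeneralizedTime (tag 0x18), here 15 bytes long.
NO_EXPIRY_NOT_AFTER = b"\x18\x0f99991231235959Z"


def is_purerat_client_preamble(client_bytes: bytes) -> bool:
    """Match the bot's opening bytes: 04 00 00 00, then a TLS 1.0 ClientHello.

    The record version alone is not conclusive (TLS 1.2/1.3 clients also send
    03 01 in the ClientHello record header), so the client_version field in
    the handshake body is checked too.
    """
    if not client_bytes.startswith(PURERAT_PREFIX):
        return False
    rec = client_bytes[len(PURERAT_PREFIX):]
    # record header (5) + handshake header (4) + client_version (2)
    if len(rec) < 11:
        return False
    if rec[0] != TLS_HANDSHAKE or rec[1:3] != TLS_1_0:
        return False
    if rec[5] != CLIENT_HELLO:
        return False
    return rec[9:11] == TLS_1_0


def has_never_expiring_not_after(cert_der: bytes) -> bool:
    """True if a DER certificate carries notAfter = 9999-12-31T23:59:59Z."""
    return NO_EXPIRY_NOT_AFTER in cert_der


def purerat_c2_score(client_bytes: bytes, server_cert_der: bytes, dst_port: int) -> list:
    """Return the names of the post's indicators that a flow matched."""
    hits = []
    if dst_port in (56001, 56002, 56003):
        hits.append("port")
    if is_purerat_client_preamble(client_bytes):
        hits.append("preamble")
    if has_never_expiring_not_after(server_cert_der):
        hits.append("cert-no-expiry")
    return hits


def build_client_hello(client_version: bytes = TLS_1_0) -> bytes:
    """Constructed sample ClientHello (one cipher suite, no extensions)."""
    body = (client_version
            + b"\x11" * 32             # random
            + b"\x00"                  # session id length 0
            + b"\x00\x02\x00\x2f"      # cipher suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")             # compression methods: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record header says 3.1 regardless of client_version, as real
    # TLS 1.2 clients also do, which is why the body version matters.
    return bytes([TLS_HANDSHAKE]) + TLS_1_0 + len(handshake).to_bytes(2, "big") + handshake


# Constructed X.509 Validity SEQUENCEs: notBefore as UTCTime 2025-08-12, then
# notAfter either as the never-expiring GeneralizedTime or a normal UTCTime.
SAMPLE_VALIDITY_NO_EXPIRY = b"\x30\x20\x17\x0d250812000000Z" + NO_EXPIRY_NOT_AFTER
SAMPLE_VALIDITY_NORMAL = b"\x30\x1e\x17\x0d250812000000Z\x17\x0d260812000000Z"


if __name__ == "__main__":
    flow = PURERAT_PREFIX + build_client_hello()
    print(purerat_c2_score(flow, SAMPLE_VALIDITY_NO_EXPIRY, 56001))
```

The same three checks map directly onto a flow record from CapLoader or Zeek: the first client payload bytes, the server certificate from the TLS handshake, and the destination port. The port match alone is weak evidence; the preamble plus the never-expiring certificate is what makes the combination characteristic.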

IOC List

Here are some C2 server addresses (IP or hostname, with port) used by recent samples of PureRAT:

  • 193.26.115.125:8883
  • purebase.ddns[.]net:8883
  • 45.74.10.38:56001
  • 139.99.83.25:56001

Posted by Erik Hjelmvik on Tuesday, 12 August 2025 15:43:00 (UTC/GMT)

Tags: #PureCoder

Short URL: https://netresec.com/?b=2589522


PureLogs Forensics

I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share.

PureLogs infections sometimes start with a dropper/downloader (PureCrypter) that retrieves a .pdf file from a legitimate website. The dropper I will demo here downloaded this file:

hxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf

This file isn’t really a PDF though, but more on that later. Here’s a CapLoader screenshot with some interesting flows from the infection:

Flows from PureLogs infection in CapLoader

The PCAP in the screenshot above comes from a sandbox execution on any.run of a file called BSN100357-HHGBM100002525.exe.

Here’s a breakdown of what happens behind the scenes in this execution:

  1. Dropper connects to www.vastkupan[.]com (DNS and TLS flows).
  2. A fake PDF (Daupinslenj.pdf) is downloaded over HTTPS.
  3. The fake PDF is decrypted to a DLL (PureLogs), which is stored in memory.
  4. InstallUtil.exe is started.
  5. The PureLogs DLL is injected into the running InstallUtil process.
  6. PureLogs connects to the C2 server at 91.92.120.101:65535.

The same dropper has also been run on JoeSandbox, with almost identical behavior. The vastkupan.com website belongs to a legitimate company (Västkupan Fastigheter).

The PDF that Wasn’t

This is what the downloaded “PDF” looks like:

Hex view of Daupinslenj.pdf

So, what's up with all that "171171" data? A short repeating pattern like this is what repeating-key XOR leaves behind wherever the plaintext is all zero bytes, and a PE file has plenty of those, so the pattern is the key itself (or a rotation of it, depending on alignment). Let's XOR with "711" and see what we get.

Hex view of decrypted Daupinslenj.pdf

The downloaded PDF turns out to be a .NET DLL file with MD5 38d29f5ac47583f39a2ff5dc1c366f7d. This is the file that was injected into the otherwise legitimate InstallUtil process. Some PureLogs droppers use RegAsm.exe instead of InstallUtil though (see JoeSandbox and any.run).

IOC List

Droppers (MD5):

  • 711d9cbf1b1c77de45c4f1b1a82347e6
  • 6ff95e302e8374e4e1023fbec625f44b
  • e6d7bbc53b718217b2de1b43a9193786
  • a9bc0fad0b1a1d6931321bb5286bf6b7
  • 09bb5446ad9055b9a1cb449db99a7302

Dropper TLS handshake signatures:

  • JA3: 3b5074b1b5d032e5620f69f9f700ff0e
  • JA4: t12d210700_76e208dd3e22_2dae41c691ec

Payload URLs:

  • hxxps://www.vastkupan[.]com/wp-admin/js/Cicdwkknms.pdf
  • hxxps://www.vastkupan[.]com/wp-admin/js/Daupinslenj.pdf
  • hxxps://www.new.eventawardsrussia[.]com/wp-includes/Ypeyqku.pdf

Payloads (MD5):

  • ab250bb831a9715a47610f89d0998f86 (Cicdwkknms.pdf)
  • cec53e8df6c115eb7494c9ad7d2963d4 (Daupinslenj.pdf)
  • eedc8bb54465bd6720f28b41f7a2acf6 (Ypeyqku.pdf)

Decrypted payloads:

  • MD5: 38d29f5ac47583f39a2ff5dc1c366f7d
  • SHA1: fc8b0ee149027c4c02f7d44cc06cade3222bb6b6
  • SHA256: 8d7729ca0b25a677287076b4461304a21813e6f15053e190975512e58754988f

PureLogs C2:

  • 91.92.120.101:62520 (old)
  • 91.92.120.101:65535 (new)

Update 2025-07-16

Additional PureLogs payloads have been found on vastkupan.com.

Payload URLs:

  • hxxps://www.vastkupan[.]com/wp-admin/js/Cxqyoub.dat
  • hxxps://www.vastkupan[.]com/wp-admin/js/Qlwxqgsag.dat

Cxqyoub.dat is decrypted by XOR-ing with "414".

Hex view of Cxqyoub.dat

Qlwxqgsag.dat is a DLL with reversed content.

Hex view of Qlwxqgsag.dat
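Both unwrapping tricks seen in this post, the repeating-key XOR used for Daupinslenj.pdf ("711") and Cxqyoub.dat ("414"), and the byte-reversed DLL in Qlwxqgsag.dat, can be automated by recovering the key from the zero padding the same way one eyeballs it in the hex view. The Python below is an added example written for this page and is not NETRESEC's or the dropper's code; the function names and the constructed PE-shaped sample are this example's own assumptions. The key recovery assumes the plaintext is a PE file, which is dominated by 0x00 bytes, and tries key lengths up to a configurable maximum.

```python
"""Added example (not NETRESEC's code): unwrap the encrypted DLLs fetched by
the PureCrypter droppers in this post, handling both repeating-key XOR and
byte-reversed payloads. Names and the sample PE are assumptions."""
from collections import Counter


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a PE signature where e_lfanew says it should be."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(data: bytes, key_len: int) -> bytes:
    """Guess a repeating XOR key of the given length.

    A PE file is mostly 0x00 bytes, and wherever the plaintext is zero the
    ciphertext shows the key byte itself (the "171171..." seen in the hex
    view). The most frequent byte at each key position is taken as the key.
    """
    return bytes(Counter(data[i::key_len]).most_common(1)[0][0]
                 for i in range(key_len))


def unwrap_payload(blob: bytes, max_key_len: int = 8):
    """Return (method, key, dll), or None if nothing PE-shaped falls out."""
    if looks_like_pe(blob):
        return ("plain", b"", blob)
    reversed_blob = blob[::-1]                    # Qlwxqgsag.dat style
    if looks_like_pe(reversed_blob):
        return ("reversed", b"", reversed_blob)
    for key_len in range(1, max_key_len + 1):     # Daupinslenj.pdf / Cxqyoub.dat style
        key = recover_xor_key(blob, key_len)
        candidate = xor_repeating(blob, key)
        if looks_like_pe(candidate):              # a wrong key length fails this check
            return ("xor", key, candidate)
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a DLL: correct MZ/PE header shape, zero padding."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> offset 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x80 - 64, b"\x00")
    return bytes(dos) + stub + b"PE\x00\x00" + b"\x00" * 600


if __name__ == "__main__":
    sample = build_sample_pe()
    print(unwrap_payload(xor_repeating(sample, b"711"))[:2])   # ('xor', b'711')
    print(unwrap_payload(sample[::-1])[:2])                     # ('reversed', b'')
```

To use it on a real download, read the fetched .pdf/.dat/.vdf/.wav file as bytes and pass it to unwrap_payload; the returned DLL is what to hash and compare against the decrypted-payload MD5s listed in this post. If the dropper ever switches to a key longer than max_key_len, or to a payload without much zero padding, the frequency trick stops working and the hex view is the fallback, exactly as in the analysis above.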

Payloads (MD5):

  • 22a304ea9c006e2ccb2f6110c4d3f53f (Cxqyoub.dat)
  • d5b6607ee4718506eb4970c02cf286cd (XOR decrypted DLL from Cxqyoub.dat)
  • 062d2a5906fac4c2ef07c6b43141e19c (Qlwxqgsag.dat)
  • 40624de03bc3c53331b6e903d9e3860f (DLL from reversed Qlwxqgsag.dat)

C2 server:

  • 91.92.120.102:62050

See JoeSandbox and any.run for sandbox executions of the dropper aa06d06ddb6d3801c70cc1991f393112 (retrieves Cxqyoub.dat), and JoeSandbox and any.run for c45a95dc7ebc8c78217cd996a8f6dda7 (gets Qlwxqgsag.dat).

Update 2025-07-21

Yet another PureLogs payload found on vastkupan.com.

  • Dropped by: 031a9c2f44881f4db1c6f6d88a540206
  • URL of encrypted DLL: hxxp://www.vastkupan[.]com/wp-admin/js/Kplbc.pdf
  • Encrypted DLL MD5: 6ed3c9b70ca02d1c558d1ef9a8aaab77
  • C2: 65.108.24.103:62050

Sandbox executions are available on JoeSandbox and any.run.

Update 2025-07-30

Additional encrypted PureLogs DLLs found on vastkupan.com:

  • Dropped by: 67861615d765d0c59d65e8d4454e5ffc
  • URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Qytqk.pdf
  • Encrypted DLL MD5: 668a42bdfd253e0d54716cd115479b9f
  • C2: 91.92.120.102:62050 (same as Cxqyoub.dat and Qlwxqgsag.dat)

  • Dropped by: 031a9c2f44881f4db1c6f6d88a540206
  • URL of encrypted DLL: hxxps://www.vastkupan[.]com:443/wp-admin/js/Kplbc.pdf
  • Encrypted DLL MD5: 6ed3c9b70ca02d1c558d1ef9a8aaab77
  • C2: 65.108.24.103:62050

  • Dropped by: 07ff4006101f117aa4f198c984a45137
  • URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Pnnvrpjewlq.vdf
  • Encrypted DLL MD5: 98cf831688941cc8bccfe1e8a33c9c16

  • Dropped by: a1fd8053b49442028d66e3adea550d19
  • URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Niose.wav
  • Encrypted DLL MD5: 067086aff11080357b92931e96ecebae

  • Dropped by: 3cf704e64cbba6560663ec45ce2dabc2
  • URL of encrypted DLL: hxxps://www.vastkupan[.]com:443/wp-admin/js/Frfkft.vdf
  • Encrypted DLL MD5: c9bac721c9b6f2900fd3d8ed922bc759
  • C2: 91.92.120.101:7705

  • Dropped by: 486d6c9cbdb638f9d574c58459676ed9
  • URL of encrypted DLL: hxxps://www.vastkupan[.]com/wp-admin/js/Skrcygatz.dat
  • Encrypted DLL MD5: a3cf5108315a06d564c97c8367994fd1
  • C2: 216.250.252.231:2080

Update 2025-07-31

Turns out the whole /wp-admin/js/ directory on Västkupan's website allows directory listing. Among the files in that directory is "New PO 102456688.exe", which drops PureLogs.

Screenshot: open directory listing on vastkupan.com

  • Filename: New PO 102456688.exe
  • MD5: b2647b263c14226c62fe743dbff5c70a
  • C2: 147.124.219.201:65535

See executions on Tria.ge and any.run for details.

Posted by Erik Hjelmvik on Wednesday, 02 July 2025 11:52:00 (UTC/GMT)

Tags: #PureLogs #PureCoder #3b5074b1b5d032e5620f69f9f700ff0e #JoeSandbox

Short URL: https://netresec.com/?b=257eead